What is our primary use case?
We use this product as our DDoS mitigation solution. It needs to protect against volumetric and low-and-slow DDoS attacks across layers three to seven.
The solution also needs to integrate with a scrubbing center and divert traffic there in the case of a volumetric attack. It must have deep knowledge of DNS traffic behavior and provide early and accurate detection and mitigation.
A DDoS mitigation solution must be able to handle high rates of DNS packets and provide the best quality of experience, even while under attack. It must also be able to allow or block traffic based on geolocation or on a specific IP address.
A DNS subdomain whitelist is available, allowing only legitimate DNS queries through.
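The following is an added example of the kind of DNS subdomain whitelist the review describes; it is not code from the review or from the vendor's product. The allowed zones, the key=value query-log format and the sample queries are all constructed for illustration. It normalizes query names (case, trailing dot), supports a leading "*." for "any subdomain of", and reports how many queries each source had blocked.

```python
"""Added example: a DNS query allowlist applied to constructed query-log lines.
Zones, log format and addresses are assumptions, not the product's own."""
from collections import Counter

# Constructed allowlist for the protected zone. A leading "*." means
# "any name under this suffix"; entries without it match exactly.
ALLOWED_ZONES = [
    "www.example.com",    # exact name only
    "*.api.example.com",  # any name under api.example.com (not the apex itself)
    "example.com",        # zone apex
]

def normalize(name: str) -> str:
    """Lower-case and strip the trailing root dot so 'WWW.Example.COM.' == 'www.example.com'."""
    return name.strip().rstrip(".").lower()

def is_allowed(qname: str, allowed=ALLOWED_ZONES) -> bool:
    q = normalize(qname)
    for entry in allowed:
        e = normalize(entry)
        if e.startswith("*."):
            # Keep the dot in the suffix so 'evilapi.example.com' does not
            # match '*.api.example.com'; label boundaries matter.
            if q.endswith(e[1:]):
                return True
        elif q == e:
            return True
    return False

def parse_line(line: str):
    """Parse a constructed 'src=... qname=... qtype=...' log line."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["qname"]

def filter_queries(log_text: str, allowed=ALLOWED_ZONES) -> dict:
    """Return allowed/blocked counts and a per-source tally of blocked queries."""
    allowed_n = 0
    blocked = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, qname = parse_line(line)
        if is_allowed(qname, allowed):
            allowed_n += 1
        else:
            blocked[src] += 1
    return {
        "allowed": allowed_n,
        "blocked": sum(blocked.values()),
        "blocked_by_source": dict(blocked),
    }

# Constructed sample: two legitimate clients plus one source sending
# pseudo-random subdomains of the protected zone (a "water torture" pattern).
SAMPLE_LOG = """\
src=203.0.113.7 qname=www.example.com. qtype=A
src=203.0.113.7 qname=v1.api.example.com qtype=AAAA
src=198.51.100.9 qname=x7f3a9.example.com qtype=A
src=198.51.100.9 qname=q2k8d1.example.com qtype=A
src=198.51.100.9 qname=zz01.example.com qtype=A
src=192.0.2.44 qname=EXAMPLE.COM qtype=MX
src=192.0.2.44 qname=example.com.evil.test qtype=A
"""

if __name__ == "__main__":
    print(filter_queries(SAMPLE_LOG))
```

One caveat worth keeping in mind: a wildcard entry such as "*.api.example.com" will also pass pseudo-random labels under that suffix, so wildcards should be limited to zones where such names are genuinely expected.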
How has it helped my organization?
This solution is able to mitigate and protect against SSL/TLS-based attacks. This is important because this type of attack is becoming more popular among attackers, as it requires only a small number of packets to cause a denial of service for a fairly large service.
Attackers use SSL/TLS because each handshake costs the server considerably more CPU than it costs the client, so the effective size of the attack is multiplied without requiring additional bots or bandwidth. Because of this amplification, even a small attack can cause crippling damage.
The solution provides automated DDoS defense against fast-moving, high-volume, encrypted, or very short duration threats. This includes IoT botnet attacks such as Mirai, pulse and burst attacks, DNS and TLS/SSL attacks, and the techniques associated with Permanent Denial of Service (PDoS) and Ransom Denial of Service (RDoS).
What is most valuable?
This product uses auto-learning and behavioral analysis to establish baselines for legitimate traffic, and it automatically detects and blocks traffic that does not conform to them.
The SSL decryptor card is fitted in the appliance by default and can be enabled when needed by purchasing a license.
The solution uses an asymmetric deployment with a challenge/response mechanism, which gives lower latency and higher capacity for blocking SSL/TLS attacks.
Behavior-based protection with automatic signature creation against unknown, zero-day DDoS attacks is employed.
Support for wildcard certificates reduces operational complexity because the administrator does not have to update the appliance every time a certificate changes.
The Cloud Signaling capability is able to route traffic to the scrubbing center in case of a volumetric attack.
It offers effective protection against DNS attacks.
It provides layer three to layer seven protection in on-premises, cloud, and hybrid environments, and detects and mitigates attacks with no performance impact or risk.
The product has a dedicated DoS mitigation engine (DME) that offloads high-volume attack traffic and inspects it without impacting the user experience.
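The two points above, that a TLS handshake flood costs the server far more than the client and that protection can rest on a learned baseline of legitimate traffic, can be illustrated with a small detector. This is an added example, not code from the review or from the vendor's behavioral engine; the per-window connection records, the z-score style threshold, and the "few application bytes per handshake" heuristic for singling out flood sources are all assumptions chosen for illustration.

```python
"""Added example: learn a baseline handshake rate from training windows,
then flag a window that exceeds it and attribute it to sources that open
many TLS sessions while sending little application data. All records and
thresholds are constructed for this example."""
from statistics import mean, pstdev

# Each window is a list of (source_ip, tls_handshakes, client_app_bytes)
# observed in one minute. Constructed "quiet" training windows:
TRAINING_WINDOWS = [
    [("192.0.2.10", 12, 60000), ("192.0.2.11", 13, 70000), ("192.0.2.12", 11, 55000)],
    [("192.0.2.10", 13, 64000), ("192.0.2.11", 14, 72000), ("192.0.2.12", 11, 51000)],
    [("192.0.2.10", 11, 58000), ("192.0.2.11", 12, 66000), ("192.0.2.12", 12, 57000)],
    [("192.0.2.10", 14, 69000), ("192.0.2.11", 14, 73000), ("192.0.2.12", 12, 59000)],
    [("192.0.2.10", 12, 61000), ("192.0.2.11", 13, 68000), ("192.0.2.12", 12, 56000)],
]

def window_handshakes(window) -> int:
    return sum(h for _, h, _ in window)

def learn_baseline(training_windows, k: float = 3.0, std_floor: float = 1.0) -> dict:
    """Mean and population std-dev of per-window handshakes; the alert
    threshold is mean + k*std. std_floor (assumption) keeps a perfectly flat
    training set from producing a zero-width band."""
    totals = [window_handshakes(w) for w in training_windows]
    mu, sigma = mean(totals), pstdev(totals)
    return {"mean": mu, "std": sigma, "threshold": mu + k * max(sigma, std_floor)}

def detect(window, baseline: dict, min_handshakes: int = 20,
           max_bytes_per_handshake: float = 200.0) -> list:
    """Return the sorted list of suspect sources for this window, or [] when
    the window's handshake total sits inside the learned band.

    A source is a suspect when it opens at least min_handshakes sessions and
    sends under max_bytes_per_handshake of application data per session:
    the signature of paying the cheap client side of the handshake and
    never using the connection."""
    if window_handshakes(window) <= baseline["threshold"]:
        return []
    return sorted(
        src for src, h, b in window
        if h >= min_handshakes and b / h < max_bytes_per_handshake
    )

# Constructed live windows: one normal, one with two handshake-flood sources
# and one heavy but legitimate client (many sessions, lots of real data).
NORMAL_WINDOW = [("192.0.2.10", 12, 60000), ("192.0.2.11", 13, 70000), ("192.0.2.12", 11, 55000)]
ATTACK_WINDOW = NORMAL_WINDOW + [
    ("192.0.2.50", 25, 2_000_000),   # busy legitimate client: ~80 kB per session
    ("203.0.113.5", 400, 20000),     # flood source: ~50 B per session
    ("203.0.113.6", 350, 12000),     # flood source: ~34 B per session
]

if __name__ == "__main__":
    base = learn_baseline(TRAINING_WINDOWS)
    print("baseline", base)
    print("normal ->", detect(NORMAL_WINDOW, base))
    print("attack ->", detect(ATTACK_WINDOW, base))
```

The bytes-per-handshake ratio is what separates the flood sources from the busy legitimate client, which opens more sessions than the attackers' minimum but actually sends data over them; a pure rate threshold would have lumped it in with the attack.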
What needs improvement?
It does not provide the capability to upload blacklist or whitelist data in bulk. Where many IP addresses need to be blacklisted or whitelisted, they must either be added one at a time or loaded using a script.
It does not provide default server groupings, such as a default policy that can be enabled on a web server or application server IP address.
The dashboard is complicated.
It does not provide real-time traffic details; it only provides logs for blocked traffic. During troubleshooting, a complete log file is required for forensics.
A PCAP file is not provided per individual IP address, which is something that should be improved.
What do I think about the stability of the solution?
This is a stable product.
What do I think about the scalability of the solution?
These devices are highly scalable and are installed in HA. An automatic pass-through option is available for copper Ethernet; for fiber, the OEM provides a fiber bypass switch that needs to be installed.
How are customer service and technical support?
Customer support from Check Point and Radware is excellent.
Which solution did I use previously and why did I switch?
We used cloud provider services for DDoS mitigation provided by our ISP. We still use that service for protection against volumetric attacks (clean pipe).
How was the initial setup?
The setup was straightforward and the support was excellent.
The configuration requires understanding the services hosted behind each public IP, as additional configuration may be required depending on the application or service.
What about the implementation team?
This solution was deployed by our in-house team along with the OEM.
What's my experience with pricing, setup cost, and licensing?
The appliance comes with a loaded hardware license, and additional options such as SSL can be purchased and enabled.
Which other solutions did I evaluate?
We evaluated a couple of solutions, including Arbor DDoS and a product by F5. We found that Check Point was able to provide us superior capabilities and features on the criteria we were evaluating.
What other advice do I have?
My advice for anybody who is considering this product is to evaluate it on the following points:
- Where you want to place your DDoS appliance.
- What mitigation throughput is required.
- Whether the device supports cloud signaling.
- Whether the SSL decryption card comes with the box or needs to be purchased separately.
- License and port requirements, including whether you need copper or fiber.
Which deployment model are you using for this solution?